SOCIAL SECURITY
November 9, 2005

The Honorable Jo Anne B. Barnhart
Commissioner

Dear Ms. Barnhart:

In November 2000, the President signed the Reports Consolidation Act of 2000
(Pub. L. No. 106-531), which requires Inspectors General to provide a summary and
assessment of the most serious management and performance challenges facing
Federal agencies and the agencies’ progress in addressing them. This document
responds to the requirement to include this Statement in the Social Security
Administration’s Fiscal Year 2005 Performance and Accountability Report.

In September 2004, we identified six significant management issues facing the Social
Security Administration for Fiscal Year (FY) 2005.

   •   Social Security Number Integrity and Protection
   •   Management of the Disability Process
   •   Improper Payments
   •   Internal Control Environment and Performance Measures
   •   Critical Infrastructure Protection/Systems Security
   •   Service Delivery

I congratulate you on the progress you have made during FY 2005 in addressing these
challenges. My office will continue to focus on these issues in the current FY. I look
forward to working with you in continuing to improve the Agency’s ability to address
these challenges and meet its mission efficiently and effectively. I am providing you
with the OIG assessment of these six management challenges.

Sincerely,

Patrick P. O’Carroll, Jr.
Inspector General

Inspector General Statement on the Social Security Administration’s Major Management Challenges

November 2005
A-02-06-16050

Mission
We improve SSA programs and operations and protect them against fraud, waste,
and abuse by conducting independent and objective audits, evaluations, and
investigations. We provide timely, useful, and reliable information and advice to
Administration officials, the Congress, and the public.

Authority
The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

  • Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
  • Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision
By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and
management and in
our own office.

Social Security Number Integrity and Protection
In Fiscal Year (FY) 2005, the Social Security Administration (SSA) issued over
17 million original and replacement Social Security number (SSN) cards and received
approximately $588 billion in employment taxes related to earnings under assigned
SSNs. Protecting the SSN and properly posting the wages reported under SSNs are
critical to ensuring eligible individuals receive the full benefits due them.

To do so, SSA must employ effective front-end controls in its enumeration process. We
applaud the significant strides the Agency has made over the past several years to
ensure SSN integrity. Nevertheless, throughout society, incidences of SSN misuse
continue to rise. Accordingly, to further protect SSN integrity, we believe SSA should
(1) encourage public and private entities to limit collection and use of the SSN as a
personal identifier, (2) continue to address identified weaknesses in its information
security environment to better safeguard SSNs, and (3) continue to coordinate with
partner agencies to pursue any data sharing agreements that would increase data
integrity.

Another important part of ensuring SSN integrity is the proper posting of earnings
reported under SSNs. Properly posting earnings ensures eligible individuals receive the
full retirement, survivor and/or disability benefits due them. The Earnings Suspense File
(ESF) is the Agency’s record of annual wage reports for which wage earners’ names
and SSNs fail to match SSA’s records. As of October 2004, SSA had posted
approximately 9 million wage items to its ESF for Tax Year 2002, which is the latest
available data, representing about $56 billion in wages.
This was before some planned
edits, which may have further reduced this number.

While SSA has limited control over the factors that cause the volume of erroneous wage
reports submitted each year, there are still areas where the Agency can improve its
processes. For example, SSA can improve wage reporting by encouraging greater use
of the Agency’s SSN verification programs. SSA also needs to coordinate with other
Federal agencies with separate, yet related, mandates.

Another area of concern related to SSN integrity is the use of nonwork SSNs by
noncitizens for unauthorized employment in the United States. SSA assigns nonwork
SSNs to noncitizens lacking appropriate work authorization only if they can provide
evidence of a valid nonwork reason. In recent years, SSA has strictly limited the
assignment of such numbers. Furthermore, SSA monitors noncitizens who show
earnings under a nonwork SSN and reports this information to the Department of
Homeland Security (DHS). Nonetheless, our audits have noted a number of issues
related to nonwork SSNs, including (1) evidence provided to obtain a nonwork SSN,
(2) reliability of nonwork SSN information in SSA’s records, (3) the significant volume of
wages reported under nonwork SSNs, and (4) the payment of benefits to noncitizens
who qualified for their benefits while working in the country without proper authorization.

IG Statement on SSA’s Major Management Challenges (A-02-06-16050)

In March 2004, Congress placed new restrictions on receipt of SSA benefits by
noncitizens who are not authorized to work in the United States. Under the Social
Security Protection Act (SSPA) of 2004 (Pub. L. No.
108-203), a noncitizen whose SSN
was assigned on or after January 1, 2004, must have been issued a SSN for work
purposes on or after this date or been admitted to the United States at any time as a
nonimmigrant visitor for business or as an alien crewman to be entitled to Title II or
End-Stage Renal Disease Medicare benefits based on the noncitizen’s earnings.

SSA Has Taken Steps to Address this Challenge

SSA has taken steps to improve controls within its enumeration process. SSA verifies
all immigration documents before assigning SSNs to noncitizens. Additionally, SSA
requires (1) mandatory interviews for all original SSN applicants age 12 and over
(lowered from age 18) and (2) evidence of identity for all children, regardless of age. In
addition, SSA established Enumeration Centers in Brooklyn, New York and Las Vegas,
Nevada that focus exclusively on assigning SSNs and issuing SSN cards. Also, in
FY 2005, SSA implemented new systems enhancements that simplified the
interpretation of, and compliance with, SSA’s complex enumeration policies.

In addition to these improvements, SSA is planning to implement several other
enhancements that will better ensure SSN protection. These endeavors were required
by the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004
(Pub. L. No. 108-458). SSA’s plans include (1) restricting the issuance of multiple
replacement Social Security cards to 3 per year and 10 in a lifetime; (2) requiring
independent verification of any birth record submitted by an original SSN applicant,
other than for purposes of enumeration at birth; and (3) coordinating with DHS to further
improve the security of Social Security cards and numbers.

SSA has also taken steps to reduce the size and growth of the ESF. In June 2005, the
Agency expanded its voluntary Social Security Number Verification Service (SSNVS) to
all interested employers nationwide.
SSNVS allows employers to verify the names and
SSNs of employees before reporting their wages to SSA.

SSA coordinates with other agencies to encourage improved wage reporting. For
example, SSA participates in a joint program with DHS, called the Basic Pilot, which
verifies the names and SSNs of employees as well as their citizenship and authorization
to work in the economy. In December 2004, the Basic Pilot program was made
available to employers nationwide. Furthermore, the Agency is also collaborating with
the Internal Revenue Service to achieve more accurate wage reporting by employers
with a high volume of wage items in the ESF.

SSA is also in the process of modifying the information it shares with employers. Under
IRTPA, the Agency is required to add both death and fraud indicators to SSNVS for
employers, State agencies issuing driver’s licenses and identity cards, and to other
verification routines as determined appropriate by the Commissioner of Social Security.

Management of the Disability Process
SSA needs to improve critical parts of the disability process – determining disabilities,
the accuracy of disability payments, and the integrity of the disability programs. In
January 2003, the Government Accountability Office (GAO) added modernizing Federal
disability programs—including SSA’s—to its high-risk list. GAO did this, in part,
because of outmoded concepts of disability, lengthy processing times, and decisional
inconsistencies.

SSA needs to continue to improve the process used to determine claimant disability by
focusing on initiatives that will improve the timeliness and quality of its services.
For
example, the Office of Hearings and Appeals’ (OHA) average processing time has
increased significantly from 308 days in FY 2001 to 415 days in FY 2005. Further, the
hearings pending workload for FY 2005 was 708,164 cases, whereas it was
392,387 cases in FY 2001. This represents an 80 percent increase from FY 2001.
SSA’s efforts to address its pending workload did not meet the goals established for
FY 2005. In FY 2005, SSA processed 519,359 hearings, approximately 99 percent of
its goal of 525,000. Lastly, SSA’s productivity goal in this area for FY 2005 was to
process 103 hearings per work year. In FY 2005, it processed 101.7 hearings per work
year, under its goal but over the 100.2 hearings processed per work year reached in
FY 2004.

Another area SSA needs to improve is ensuring the correct benefits are paid to the
correct individuals. Continuing disability reviews (CDR) are critical to determining
whether a disabled beneficiary continues to be eligible for benefits. In an April 2005
report, we estimated that approximately $12.4 million was overpaid to about
11,880 recipients because SSA did not previously consider all of their earnings when
calculating Supplemental Security Income (SSI) payment amounts. We also estimated
that, if the Agency resolved the earnings discrepancies, approximately an additional
$74.7 million in overpayments to about 61,380 recipients would have been recognized.

Fraud is an inherent risk in SSA’s disability programs. Key risk factors in the disability
program are individuals who feign or exaggerate symptoms to become eligible for
disability benefits or who, after becoming eligible to receive benefits, knowingly fail to
report medical improvements or work activity. For example, one beneficiary with a
diagnosis of affective disorders (a psychiatric impairment) started receiving disability
benefits in 1997.
Office of the Inspector General (OIG) investigators observed activities
that seemed inconsistent with the beneficiary’s statements regarding limitations due to
the beneficiary’s impairment; and therefore, we requested SSA conduct a CDR. As a
result of this CDR, SSA found that medical improvement had occurred and stopped the
benefits—resulting in 12 months of savings of $6,948. If SSA had not conducted the
CDR at the time of our request, benefits would have continued to be paid to this
individual.

SSA Has Taken Steps to Address this Challenge

On July 27, 2005, the Commissioner announced proposed regulations in the Federal
Register which outlined her plan to improve the disability process. The proposed
regulations would:

   •   Establish a Quick Disability Determination process through which State agencies
       will expedite initial determinations for claimants who are clearly disabled;
   •   Create a Federal Expert Unit to augment and strengthen medical and vocational
       expertise for disability adjudicators at all levels of the disability determination
       process;
   •   Eliminate the State agency reconsideration step and terminate the disability
       prototype that SSA is currently conducting in 10 States;
   •   Establish Federal reviewing officials to review State agency initial determinations
       upon the request of claimants;
   •   Preserve the right of claimants to request and be provided a “de novo” hearing,
       which will be conducted by an Administrative Law Judge (ALJ);
   •   Close the record after the ALJ issues a decision, but allow for the consideration
       of new and material evidence under certain circumstances;
   •   Gradually shift certain Appeals Council
       functions to a newly established Decision
       Review Board; and
   •   Strengthen in-line and end-of-line quality review mechanisms at the State
       agency, reviewing official, hearing, and Decision Review Board levels of the
       disability determination process.

In addition to the Commissioner’s proposed improvements to the disability process, the
Agency is in the process of transitioning to the electronic disability folder. The electronic
disability folder allows disability claims information to be stored electronically and
transmitted between field offices, hearing offices, and Disability Determination Services
(DDS). As of August 2005, four State DDSs - Mississippi, Illinois, Hawaii, and Nevada -
have been certified to operate fully in the electronic folder. By January 2007, SSA
expects all DDSs and disability quality branches to be operating in the electronic
disability folder.

SSA is addressing the integrity of its disability programs through the Cooperative
Disability Investigations (CDI) program. The CDI program’s mission is to obtain
evidence that can resolve questions of fraud in SSA’s disability programs. SSA’s
Offices of Operations and Disability Programs, along with the Office of the Inspector
General, manage the CDI program. There are 19 CDI units operating in 17 States.
Since the program’s inception in FY 1998, CDI efforts have resulted in over $533 million
in projected savings to SSA’s disability programs and over $311 million in projected
savings to non-SSA programs.
During FY 2005, CDI units saved SSA over $123 million
by identifying fraud and abuse related to initial and continuing claims within the disability
program.

Improper Payments
Improper payments are defined as payments that should not have been made or were
made for incorrect amounts. Examples of improper payments include inadvertent
errors, payments for unsupported or inadequately supported claims, or payments to
ineligible beneficiaries. Furthermore, the risk of improper payments increases in
programs with a significant volume of transactions, complex criteria for computing
payments, and an emphasis on expediting payments.

The President and Congress have expressed interest in measuring the universe of
improper payments within the Government. In August 2001, the Office of Management
and Budget (OMB) published the FY 2002 President's Management Agenda (PMA),
which included a Government-wide initiative for improving financial performance,
including reducing improper payments. As of the first quarter in FY 2005, OMB
implemented a PMA program initiative (Eliminating Improper Payments) specifically
targeting Agency action to reduce improper payments—and SSA was rated as making
progress in this area as of June 2005. In November 2002, the Improper Payments
Information Act of 2002 (Pub. L. No. 107-300) was enacted, and OMB issued guidance
in May 2003 on implementing this law. Under the Act, SSA must estimate its annual
amount of improper payments and report this information in the Agency's annual
Performance and Accountability Report (PAR).
OMB will then work with SSA to
establish goals for reducing improper payments in its programs.

SSA issues billions of dollars in benefit payments under the Old-Age, Survivors and
Disability Insurance (OASDI) and SSI programs; and some improper payments are
unavoidable. In FY 2004, SSA issued about $522 billion in benefit payments to about
52 million people. Since SSA is responsible for issuing timely benefit payments for
complex entitlement programs to millions of people, even the slightest error in the
overall process can result in millions of dollars in over- or underpayments. In FY 2005,
SSA reported that it detected over $4 billion in overpayments.

In January 2005, OMB issued a report on Improving the Accuracy and Integrity of
Federal Payments which noted that seven Federal programs—including SSA’s OASDI
and SSI programs—accounted for approximately 95 percent of the improper payments
in FY 2004. SSA’s OASDI and SSI programs represented 10 percent of this amount.
However, this report also noted that SSA had reduced the amount of SSI improper
payments by more than $100 million since levels reported in FY 2003.

SSA Has Taken Steps to Address this Challenge

SSA has been working to improve its ability to prevent over- and underpayments by
obtaining beneficiary information from independent sources sooner and using
technology more effectively. For example, the Agency is continuing its efforts to prevent
improper payments after a beneficiary dies through the use of Electronic Death
Registration information. Also, the Agency's CDR process is in place to identify and
prevent beneficiaries who are no longer disabled from receiving payments.
Additionally, in FY 2005, SSA implemented eWork—a new automated system to control
and process work related CDRs—which should strengthen SSA's ability to identify and
prevent improper payments to disabled beneficiaries who are working.

SSA has worked with the OIG to prevent and recover improper payments.

   •   For the FY 2005 OIG report, Individuals Receiving Benefits Under Multiple Social
       Security Numbers at the Same Address, SSA worked with the OIG to identify and
       assess about $9.2 million in overpayments—and 6 percent of these funds were
       recovered during the audit (as of April 2005), with SSA continuing to take action
       to recover the remaining funds.

   •   In another FY 2005 OIG report, School Attendance by Student Beneficiaries over
       Age 18, we estimated SSA disbursed about $70 million in incorrect payments to
       32,839 students. SSA agreed with our recommendation to ensure that the
       overpayments are established and that subsequent collection activities are
       initiated for those payments.

We have helped the Agency reduce improper payments to prisoners and improper SSI
payments to fugitive felons. However, our work has shown that improper payments—
such as those related to workers' compensation—continue to diminish the Social
Security trust funds.
For example, in the FY 2005 OIG report, The Social Security
Administration’s Clean-up of Title II Disability Insurance Cases with a Workers’
Compensation Offset, we found under- and overpayment errors totaling over
$500 million continued to exist in 110,000 workers’ compensation cases even after they
were reviewed by SSA in an effort to determine the correct payment amount.
Additionally, with the passage of SSPA, SSA has new opportunities to prevent improper
payments and new challenges in implementing provisions of the law—such as OASDI
benefits to fugitives.

Internal Control Environment and Performance Measures
Internal control comprises the plans, methods, and procedures used to meet missions,
goals, and objectives. Internal controls help safeguard assets and prevent and detect
errors and fraud. Assessing the internal control environment is important since internal
control is a critical part of performance-based management. SSA’s internal control
environment helps its managers achieve desired results through effective stewardship
of public resources.

Another important part of performance-based management is performance
measurement. Congress, external interested parties, and the general public need
sound data to monitor and evaluate SSA’s performance. The necessity for good
internal data Government wide has resulted in the passage of several laws, including
the Government Performance and Results Act of 1993 (Pub. L. No. 103-62). The Act,
in part, requires the development of annual performance measures and goals.
In
addition to the legislation calling for greater accountability within the Government, the
PMA has focused on the integration of the budget and performance measurement
processes.

One of SSA’s primary functions is the processing of disability claims. SSA is
responsible for implementing policies for the development of disability claims under the
Disability Insurance (DI) and SSI programs. Initial disability determinations under both
DI and SSI are performed by DDSs in each State in accordance with Federal
regulations. Each DDS is responsible for determining whether or not claimants are
disabled and ensuring adequate evidence is available to support its determinations. To
make proper disability determinations, each DDS is authorized to purchase medical
examinations, x-rays, and laboratory tests on a consultative basis to supplement
evidence obtained from the claimants’ physicians or other treating sources.

There are 52 DDSs located in each of the 50 States, the District of Columbia, and
Puerto Rico. SSA reimburses the DDS for 100 percent of allowable expenditures up to
its approved funding authorization. In FY 2005, SSA allocated over $1.7 billion to fund
DDS operations. Given the amount of funds allocated, adequate controls are needed to
ensure the funds are used in accordance with the applicable laws and policies, and to
meet the programs’ intended purposes.

During FY 2005, we conducted 10 DDS administrative cost audits. In 5 of the 10 audits,
internal control weaknesses were identified. The control weaknesses identified
addressed areas such as fund transfers between accounts, cash activities and physical
security.
The lack of effective internal controls and proper oversight of DDS cash
management activities can result in the mismanagement of Federal resources and
increase the risk of fraud.

In the 10 DDS administrative cost audits, we reported unallowable indirect costs of over
$3,989,000, as well as $39,600 in unallowable direct costs. As a result, we concluded
that SSA’s Regional Offices needed to improve their oversight of the costs DDSs
claimed.

We audited the performance data used to measure seven of SSA’s annual performance
measures.
   •   Number of Job Enrichment Opportunities
   •   Average Processing Times for Initial Disability Claims
   •   Average Processing Times for Hearings
   •   DDS Net Accuracy Rate
   •   Percent Improvement in Agency Productivity
   •   Supplemental Security Income Aged Claims Processed Per Work Year
   •   DDS Cases Processed Per Work Year

We concluded that the data used to measure one of the seven measures was reliable.
We found the data used for another of the seven measures to be unreliable. We
concluded that the data was unreliable since the controls in place to ensure the
accuracy of the measure were not working as intended. We could not determine the
reliability of the data used for the remaining five performance measures since there
were data retention limitations for the detailed data used to calculate the performance
measure results.

SSA Has Taken Steps to Address this Challenge

The Agency has taken steps to address the internal control weaknesses, such as cash
management and physical security, identified at the DDSs we reviewed. The DDS
offices have consulted with regional SSA offices to address the issue of the transfer of
funds.
SSA has instituted a process to correct any future improprieties of this kind in a
manner that will match cash draws to SSA disbursement records.

SSA has demonstrated a commitment to the production of comprehensive and accurate
data on its financial statements, annual performance plans and reports, and individual
performance measures. SSA is the only Federal agency that has received the
Association of Government Accountant’s Certificate of Excellence in Accountability
Reporting for its Performance and Accountability Report every year since the award
program began in FY 1998. Also, SSA obtained a “green” rating on the PMA Scorecard
in the areas of financial management and budget and performance integration.

Critical Infrastructure Protection and Systems Security
The information technology revolution has changed the way Governments and
businesses operate, creating a greater reliance on computer systems. Unfortunately, in
today’s world, every computer system is a potential target. Any disruptions in the
operation of information systems that are critical to the Nation’s infrastructure should be
infrequent, manageable, of minimal duration and cause the least damage possible. The
Government must make continuous efforts to secure information systems for critical
infrastructures. Protection of these systems is essential to the operation of the
telecommunications, energy, financial services, manufacturing, water, transportation,
health care, and emergency service sectors.

SSA’s information security challenge is to understand and mitigate system
vulnerabilities. This means ensuring the security of its critical information infrastructure,
such as access to the Internet and the Agency’s networks.
Since 1997, SSA has had
an internal controls reportable condition concerning its protection of information based
on weaknesses in controls over access to its electronic information, technical security
configuration standards, suitability, and continuity of systems operations. Reportable
conditions are matters that represent significant deficiencies in the design or operation
of an internal control that could adversely affect SSA's ability to meet the internal control
objectives. Access to the information, or access control, is the most important of these
factors. This reportable condition was resolved on September 30, 2005.

While protecting its critical information infrastructure, the Agency is tasked with offering
more electronic services to the public. The Expanded Electronic Government, or
e-Government, initiative of the PMA calls for the expanded use of the Internet to provide
faster and better access to government services and information. Specifically,
e-Government calls for the Agency to help citizens find information and obtain services
organized according to their needs, and not according to the divisions created by the
Agency’s organizational chart. SSA needs to ensure that the expansion of its electronic
services does not increase the risks to its systems.

Additionally, SSA must address new Homeland Security Presidential Directives (HSPD).
HSPD 7 requires all Federal departments and agency heads to identify, prioritize,
assess, remediate, and protect their respective critical infrastructure and key resources.
HSPD 12 mandates the development of a common identification ‘Standard’ for all
Federal employees and contractors.

SSA Has Taken Steps to Address this Challenge

SSA successfully addressed the key issues surrounding the reportable condition. For
example, the Agency developed and implemented configuration standards for its major
operating system platforms and software components.
Further, SSA began an
extensive monitoring process to ensure that the Agency’s over 100,000 servers and
workstations were in compliance with the appropriate configuration standards. In
addition, SSA established and implemented access controls to ensure appropriate
segregation of duties and limited access to critical information on a need only basis.
This task was completed largely through its Standardized Security Profile Project
(SSPP). An employee’s profile is the tool used to control access to SSA’s databases.
SSPP is a full scale project begun several years ago to compare system user access
assignments to job responsibilities. SSPP involved components throughout the Agency
and the review of access to millions of sensitive records.

To prevent the reoccurrence of these issues, SSA needs to continue the procedures
that resolved the reportable condition, such as:

   •   SSA needs to update and develop new configuration standards when
       appropriate.
   •   SSA should continue monitoring the Agency’s devices for compliance with the
       configuration standards.
   •   SSA needs to continue the work of the SSPP and regularly monitor the level of
       access to significant data.

SSA took additional steps to protect its critical information infrastructure and systems
security in a variety of ways. For example, SSA’s Critical Infrastructure Protection
workgroup continuously works to ensure Agency compliance with various directives,
such as HSPDs and the Federal Information Security Management Act (FISMA) of 2002
(Pub. L. No. 107-347). To comply with HSPD 7, SSA submitted its Critical Federal
Infrastructure Protection Plan to OMB in 2004; SSA continues to work with OMB to
resolve any outstanding issues regarding its plan.
The Agency recently created a
workgroup, which coordinates with other agencies and OMB to address HSPD 12.
Further, SSA routinely releases security advisories to its employees and has hired
outside contractors to provide expertise in this area.

SSA continues to improve its security program to better comply with FISMA and makes
strides towards reaching green in the PMA e-Government initiative. Some of the
specific steps the Agency has taken include:

   •   participating in Pinnacle, the Government-wide contingency test;
   •   improving its automated tool to better track security weaknesses and help
       monitor their resolution; and
   •   improving tracking of security training for SSA staff with significant security
       responsibilities.

                                 Service Delivery

One of SSA’s strategic goals is to deliver high-quality “citizen-centered” service. This
goal encompasses traditional and electronic services to applicants for benefits,
beneficiaries and the general public. It includes services to and from States, other
agencies, third parties, employers, and other organizations, including financial
institutions and medical providers. It also includes basic operational services, including
the representative payee process, managing human capital and e-Government.

The integrity of the representative payee process is a specific challenge within this area.
When SSA determines a beneficiary cannot manage his or her benefits, it selects a
representative payee who manages and solely uses the payments for the beneficiary's
needs. SSA reported that there are about 5.4 million representative payees who
manage benefits for about 6.9 million beneficiaries. In March 2004, the President
signed SSPA into law.
The SSPA provides several new safeguards for those
individuals who need a representative payee, while presenting significant challenges to
SSA to ensure representative payees meet beneficiaries' needs.

During our review, Nation-wide Review of Individual Representative Payees for the
Social Security Administration (A-13-05-25006), we confirmed the existence of all
beneficiaries that were in the care of the 275 representative payees included in our
sample. We found, through personal observation and interviews, that the food, clothing
and shelter needs of most beneficiaries were being met. We also found several
representative payees did not comply with certain SSA policies. Specifically, we
determined eight payees functioned as conduit payees. Further, we found five payees
failed to report events that could have affected the amount of benefit payments the
beneficiaries received or the beneficiaries’ right to receive benefit payments. In some
instances, more than one condition may have applied to the same payee.

As of January 2005, GAO continued to identify strategic human capital management on
its list of high-risk Federal programs and operations. In addition, Strategic Management
of Human Capital is one of five Government-wide initiatives contained in the PMA. As
of June 30, 2005, SSA continued to score “green” for Human Capital on OMB’s PMA
Scorecard.

SSA is being challenged to address increasing workloads, due to the baby boom
generation retiring and entering their disability prone years, at the same time its
workforce is retiring. Improved productivity is essential for SSA to meet the increasing
workload and retirement wave challenges ahead.
Technology is essential to achieving
efficiencies and enabling employees to deliver the kind of service that every claimant,
beneficiary and citizen needs and deserves.

The e-Government initiative of the PMA directs the expanded use of the Internet to
provide faster and better access to Government services and information. Specifically,
e-Government instructs SSA to help citizens find information and obtain information
organized according to their needs.

SSA Has Taken Steps to Address this Challenge

SSA has taken various actions regarding its representative payee process. It has
established workgroups to implement each section of SSPA related to representative
payees and has issued two reports in FY 2005 to Congress:

   •   Annual Report on the Results of Periodic Representative Payee Site Reviews
       and Other Reviews (January 2005), and
   •   Report on the Sufficiency of the Social Security Administration’s Representative
       Payee Procedures in the Prevention of Misuse of Benefits (November 2004).

SSA also issued to Congress a preliminary report from the National Academies as
required by Section 107 of SSPA. SSA contracted with the National Academies to
determine (1) the extent to which representative payees are not performing their duties
as payees in accordance with SSA standards for payees, (2) which types of payees
have the highest risk of misuse of benefits, (3) ways to reduce those risks and better
protect beneficiaries, (4) observations about the adequacy of payee’s actions, and (5)
recommendations for change or further review.
The National Academies plans to
submit its final report to SSA in early 2007.

Regarding human capital, SSA reports developing and implementing competency-based
training for “front-line” employees; implementing a national recruitment strategy
to bring the “best and brightest” individuals to the Agency; and developing a Human
Capital Plan to respond to the challenge of hiring, developing and retaining a highly
skilled, high performing and diverse workforce.

According to SSA, its e-Government strategy is based on the deployment of high
volume, high payoff applications, for both the public and the Agency’s business
partners. To meet increasing public demands, SSA has aggressively pursued a
portfolio of services that enable online transactions and increase opportunities for the
public to conduct SSA business electronically in a private and secure environment.
Over the past 6 years, SSA has launched the Internet Social Security Benefit
Application and created on-line requests for Social Security Statements, replacement
Medicare cards, proof of income letters and changes of address. In FY 2005, SSA
accomplished such e-Government enhancements as releasing software to enable the
public to confidentially input data regarding their resources to determine eligibility and/or
apply for Medicare Part D subsidy, a program that will reduce out of pocket costs for
prescription drugs for those who have limited income and resources.
Another
enhancement was the implementation of software to improve the usability and common
look and feel of the SSA.gov WebPages.

                                          Appendices

APPENDIX A – Acronyms
APPENDIX B – Related Office of the Inspector General Reports
APPENDIX C – Office of the Inspector General Contacts

Appendix A

Acronyms

 ALJ              Administrative Law Judge
 CDI              Cooperative Disability Investigations
 CDR              Continuing Disability Review
 DDS              Disability Determination Services
 DHS              Department of Homeland Security
 DI               Disability Insurance
 ESF              Earnings Suspense File
 FISMA            Federal Information Security Management Act
 GAO              Government Accountability Office
 HSPD             Homeland Security Presidential Directives
 IRTPA            Intelligence Reform and Terrorism Prevention Act
 OIG              Office of the Inspector General
 OMB              Office of Management and Budget
 PAR              Performance and Accountability Report
 PMA              President’s Management Agenda
 SSA              Social Security Administration
 SSI              Supplemental Security Income
 SSN              Social Security Number
 SSNVS            Social Security Number Verification Service
 SSPA             Social Security Protection Act of 2004

Appendix B

Related Office of the Inspector General Reports

Management Challenge Area, Report Title and                           Report
Common Identification Number                                          Issued

                Social Security Number Integrity and Protection

Employers with the Most Suspended Wage Items in the 5-Year            October 26, 2004
Period 1997 through 2001 (A-03-03-13048)

Congressional Response Report: Follow-up of Federal Agencies’         February 28, 2005
Controls over the Access, Disclosure, and Use of Social Security
Numbers by External Entities (A-08-05-25104)

Assessment of the Enumeration at Entry Process (A-08-04-14093)        March 15, 2005

Department of Defense Wage Items in the Earnings Suspense File        March 29, 2005
(A-03-04-14041)

Social Security Number Cards Issued After Death (A-06-03-13078)       April 20, 2005

Social Security Number Misuse in the Service, Restaurant, and         April 29, 2005
Agriculture Industries (A-08-05-25023)

Reported Earnings Prior to the Issuance of a Social Security Number   August 5, 2005
(A-03-04-14037)

Impact of Nonimmigrants Who Continue Working After Their              September 9, 2005
Immigration Status Expires (A-08-05-15073)

                      Management of the Disability Process

Social Security Administration’s Ticket to Work Program               December 20, 2004
(A-02-03-13079)

Congressional Response Report: Review of Milwaukee Office of          August 2, 2005
Hearings and Appeals (A-13-05-25140)

The Social Security Administration’s Match of Disability Insurance    August 5, 2005
Records with Texas Workers’ Compensation Payment Data
(A-06-05-15024)

Follow-up of Pending Workers’ Compensation: The Social Security       September 9, 2005
Administration Can Prevent Millions in Title II Disability
Overpayments (A-08-05-25132)

                                   Improper Payments

The Social Security Administration’s Clean-Up of Title II Disability  October 14, 2004
Insurance Cases with a Workers’ Compensation Offset
(A-04-03-13042)

Social Security Administration’s Controls Over the Title XVI          October 25, 2004
Overpayment Waiver (A-06-03-13077)

School Attendance by Student Beneficiaries Over Age 18                January 31, 2005
(A-09-04-14013)

Representative Payee Reports Indicating Excess Conserved Funds        March 28, 2005
for Supplemental Security Income Recipients (A-13-03-13065)

Individuals Receiving Multiple Auxiliary or Survivors Benefits        March 28, 2005
(A-01-05-25015)

Disabled Supplemental Security Income Recipients with Earnings        April 11, 2005
(A-01-04-14085)

The Social Security Administration’s Controls over the Suspension of  April 12, 2005
Title XVI Overpayment Collection Efforts (A-04-04-24029)

Individuals Receiving Benefits under Multiple Social Security         April 29, 2005
Numbers at the Same Address (A-01-05-25002)

Social Security Administration’s Administrative Finality Rules        July 26, 2005
(A-01-04-24024)

Follow-up: The Social Security Administration Can Recover Millions    August 24, 2005
in Medicare Premiums Related to Retirement or Disability Payments
Made After Death (A-08-05-15112)

          Internal Control Environment and Performance Measures

Administrative Costs Claimed by the South Carolina Disability         October 7, 2004
Determination Services (A-04-04-14053)

Performance Indicator Audit: Processing Time (A-02-04-14072)          October 25, 2004

Inspector General Statement on the Social Security Administration’s   November 10, 2004
Major Management Challenges (A-02-05-15092)

Top Issues Facing Social Security Administration Management –         November 10, 2004
Fiscal Year 2005 (A-44-05-25111)

Performance Indicator Audit: Disability Determination Services Net    November 10, 2004
Accuracy Rate – Allowances and Denials Combined
(A-15-04-14074)

Oversight of the Fiscal Year 2004 Financial Statement Audit           November 10, 2004
(A-15-04-34084)

Performance Indicator Audit: Productivity (A-15-04-14073)             November 17, 2004

Performance Indicator Audit: General Observations                     January 6, 2005
(A-15-05-25096)

Administrative Costs Claimed by the South Dakota Disability           February 25, 2005
Determination Services (A-15-03-13060)

Indirect Costs Claimed by the Arizona Disability Determination        March 28, 2005
Services (A-09-04-14010)

Administrative Costs Claimed by the Ohio Bureau of Disability         May 27, 2005
Determination (A-05-04-14028)

Administrative Costs Claimed by the New Hampshire Disability          May 27, 2005
Determination Services (A-01-05-15012)

Administrative Costs Claimed by the Iowa Disability Determination     June 7, 2005
Services (A-07-04-14087)

Indirect Costs Claimed by the Oregon Disability Determination         June 7, 2005
Services (A-09-05-15001)

Administrative Costs Claimed by the Alaska Disability Determination   July 7, 2005
Services (A-09-05-15025)

Performance Indicator Audit: Job Enrichment Opportunities             August 12, 2005
(A-02-05-15119)

Administrative Costs Claimed by the Delaware Disability               August 19, 2005
Determination Services (A-13-05-15011)

Administrative Costs Claimed by the Pennsylvania Bureau of            August 31, 2005
Disability Determination (A-15-04-14080)

            Critical Infrastructure Protection and Systems Security

The Social Security Administration’s Compliance with the Employee     October 14, 2004
Retirement Income Security Act (A-14-04-24090)

State Disability Determination Services’ Removal of Sensitive         August 4, 2005
Information from Excessed Computers (A-14-05-15063)

                                     Service Delivery

Family Services, Inc., of Charleston, South Carolina, A Fee-for-      October 1, 2004
Service Representative Payee for the Social Security Administration
(A-13-04-14002)

Management of Allegations by the Social Security Administration’s     October 15, 2004
Office of Systems (A-13-04-14047)

Seattle Mental Health Institute – An Organizational Representative    October 26, 2004
Payee for the Social Security Administration (A-09-04-14015)

The Effects of Staffing on Hearing Office Performance                 March 30, 2005
(A-12-04-14098)

Social Security Administration’s Controls for Concurrently Entitled   April 11, 2005
Beneficiaries with Representative Payees (A-05-04-13058)

Nation-wide Review of Individual Representative Payees for the        July 26, 2005
Social Security Administration (A-13-05-25006)

Office of Hearings and Appeals Mega-site Information and Bar-         August 25, 2005
Coding Systems (A-12-05-15085)

Appendix C

Office of the Inspector General Contacts

Walter Bayer, Director                         Social Security Number Integrity and
Kim Byrd, Director                             Protection

Mark Bailey, Director                          Management of the Disability Process

Paul Davila, Director                          Improper Payments
Judith Oliveira, Director

Tim Nee, Director                              Internal Control Environment and
Victoria Vetter, Acting Director               Performance Measures

Kitt Winter, Director                          Critical Infrastructure Protection and
                                               Systems Security

Jim Klein, Director                            Service Delivery
Shirley Todd, Director


For additional copies of this report, please visit our web site at http://www.ssa.gov/oig or
contact the Office of the Inspector General’s Public Affairs Specialist at (410) 966-3218.
Refer to Common Identification Number A-02-06-16050.

               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Executive Operations (OEO). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently.
Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                  Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                               Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, OEO is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.